Documentation
Overview ¶
Package oidc implements an OIDC client library
Index ¶
- Constants
- type Audience
- type AuthCodeOption
- type Claims
- type Client
- func (c *Client) AuthCodeURL(state string, opts ...AuthCodeOption) string
- func (c *Client) Exchange(ctx context.Context, code string) (*Token, error)
- func (c *Client) SetClientSecret(secret string)
- func (c *Client) SetRedirectURL(redirectURL string)
- func (c *Client) TokenSource(ctx context.Context, t *Token) TokenSource
- func (c *Client) Userinfo(ctx context.Context, token *Token) (*Userinfo, error)
- type ClientOpt
- type HTTPError
- type KeySource
- type StaticKeysource
- type Token
- type TokenSource
- type Transport
- type UnixTime
- type Userinfo
- type Verifier
- type VerifyOpt
Constants ¶
const (
// ScopeOfflineAccess requests a refresh token
ScopeOfflineAccess = "offline_access"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Audience ¶
type Audience []string
Audience represents an OIDC ID Token's Audience field.
func (Audience) MarshalJSON ¶
func (*Audience) UnmarshalJSON ¶
type AuthCodeOption ¶
type AuthCodeOption func(*authCodeCfg)
AuthCodeOption can be used to modify the auth code URL that is generated.
func AddScopes ¶
func AddScopes(scopes []string) AuthCodeOption
AddScopes adds additional scopes to this URL only
type Claims ¶
type Claims struct {
	// REQUIRED. Issuer Identifier for the Issuer of the response. The iss value
	// is a case sensitive URL using the https scheme that contains scheme,
	// host, and optionally, port number and path components and no query or
	// fragment components.
	Issuer string `json:"iss,omitempty"`
	// REQUIRED. Subject Identifier. A locally unique and never reassigned
	// identifier within the Issuer for the End-User, which is intended to be
	// consumed by the Client, e.g., 24400320 or
	// AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII
	// characters in length. The sub value is a case sensitive string.
	Subject string `json:"sub,omitempty"`
	// REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain
	// the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY
	// also contain identifiers for other audiences.
	Audience Audience `json:"aud,omitempty"`
	// REQUIRED. Expiration time on or after which the ID Token MUST NOT be
	// accepted for processing. The processing of this parameter requires that
	// the current date/time MUST be before the expiration date/time listed in
	// the value. Implementers MAY provide for some small leeway, usually no
	// more than a few minutes, to account for clock skew.
	Expiry UnixTime `json:"exp,omitempty"`
	// OPTIONAL. The "nbf" (not before) claim identifies the time before which
	// the JWT MUST NOT be accepted for processing. The processing of the "nbf"
	// claim requires that the current date/time MUST be after or equal to the
	// not-before date/time listed in the "nbf" claim. Implementers MAY provide
	// for some small leeway, usually no more than a few minutes, to account for
	// clock skew. Its value MUST be a number containing a NumericDate value.
	NotBefore UnixTime `json:"nbf,omitempty"`
	// REQUIRED. Time at which the JWT was issued.
	IssuedAt UnixTime `json:"iat,omitempty"`
	// Time when the End-User authentication occurred. Its value is a JSON
	// number representing the number of seconds from 1970-01-01T0:0:0Z as
	// measured in UTC until the date/time. When a max_age request is made or
	// when auth_time is requested as an Essential Claim, then this Claim is
	// REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim
	// semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time
	// response parameter.)
	AuthTime UnixTime `json:"auth_time,omitempty"`
	// String value used to associate a Client session with an ID Token, and to
	// mitigate replay attacks. The value is passed through unmodified from the
	// Authentication Request to the ID Token. If present in the ID Token,
	// Clients MUST verify that the nonce Claim Value is equal to the value of
	// the nonce parameter sent in the Authentication Request. If present in the
	// Authentication Request, Authorization Servers MUST include a nonce Claim
	// in the ID Token with the Claim Value being the nonce value sent in the
	// Authentication Request. Authorization Servers SHOULD perform no other
	// processing on nonce values used. The nonce value is a case sensitive
	// string.
	Nonce string `json:"nonce,omitempty"`
	// OPTIONAL. Authentication Context Class Reference. String specifying an
	// Authentication Context Class Reference value that identifies the
	// Authentication Context Class that the authentication performed satisfied.
	// The value "0" indicates the End-User authentication did not meet the
	// requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a
	// long-lived browser cookie, for instance, is one example where the use of
	// "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used
	// to authorize access to any resource of any monetary value. (This
	// corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An
	// absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as
	// the acr value; registered names MUST NOT be used with a different meaning
	// than that which is registered. Parties using this claim will need to
	// agree upon the meanings of the values used, which may be
	// context-specific. The acr value is a case sensitive string.
	ACR string `json:"acr,omitempty"`
	// OPTIONAL. Authentication Methods References. JSON array of strings that
	// are identifiers for authentication methods used in the authentication.
	// For instance, values might indicate that both password and OTP
	// authentication methods were used. The definition of particular values to
	// be used in the amr Claim is beyond the scope of this specification.
	// Parties using this claim will need to agree upon the meanings of the
	// values used, which may be context-specific. The amr value is an array of
	// case sensitive strings.
	AMR []string `json:"amr,omitempty"`
	// OPTIONAL. Authorized party - the party to which the ID Token was issued.
	// If present, it MUST contain the OAuth 2.0 Client ID of this party. This
	// Claim is only needed when the ID Token has a single audience value and
	// that audience is different than the authorized party. It MAY be included
	// even when the authorized party is the same as the sole audience. The azp
	// value is a case sensitive string containing a StringOrURI value.
	AZP string `json:"azp,omitempty"`
	// Extra are additional claims, that the standard claims will be merged in
	// to. If a key is overridden here, the struct value wins.
	Extra map[string]interface{} `json:"-"`
	// contains filtered or unexported fields
}
Claims represents the set of JWT claims for the user.
https://openid.net/specs/openid-connect-core-1_0.html#Claims
func (Claims) MarshalJSON ¶
func (*Claims) Unmarshal ¶
Unmarshal unpacks the raw JSON data from this token into the passed type.
func (*Claims) UnmarshalJSON ¶
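The field comments above double as the relying party's validation checklist. The following is an added example, not code from this package: it uses only the standard library, with minimal stand-ins for Audience, UnixTime and Claims, decodes a constructed ID token payload and applies the checks the comments call for (issuer equality, client_id present in aud, exp and nbf with a leeway, required iat, nonce equality, and acr restricted to the requested values, which is what WithACRValues with enforce set describes). Expectation, ValidateClaims and SampleIDTokenPayload are hypothetical names, and signature verification is assumed to have happened before these checks run.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"time"
)

// Audience mirrors the page's Audience type: "aud" may be a bare string or
// an array of strings, so the decoder must accept both forms.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud: expected string or array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// UnixTime mirrors the page's UnixTime: seconds since 1970-01-01T00:00:00Z.
type UnixTime int64

// Claims is the subset of the page's Claims struct used by the checks below.
type Claims struct {
	Issuer    string   `json:"iss"`
	Audience  Audience `json:"aud"`
	Expiry    UnixTime `json:"exp"`
	NotBefore UnixTime `json:"nbf"`
	IssuedAt  UnixTime `json:"iat"`
	Nonce     string   `json:"nonce"`
	ACR       string   `json:"acr"`
}

// Expectation is what the relying party knows independently of the token.
type Expectation struct {
	Issuer    string        // issuer URL obtained from discovery
	ClientID  string        // our client_id, which must appear in aud
	Nonce     string        // nonce sent in the authentication request ("" if none)
	ACRValues []string      // requested acr_values; empty means do not enforce acr
	Leeway    time.Duration // clock-skew allowance for exp and nbf
	Now       time.Time
}

// ValidateClaims applies the checks the Claims field comments spell out. It
// assumes the token's signature has already been verified.
func ValidateClaims(c Claims, e Expectation) error {
	if c.Issuer != e.Issuer { // case-sensitive, exact match against the discovered issuer
		return fmt.Errorf("iss %q does not match expected issuer %q", c.Issuer, e.Issuer)
	}
	if !slices.Contains(c.Audience, e.ClientID) {
		return fmt.Errorf("aud %v does not contain client_id %q", []string(c.Audience), e.ClientID)
	}
	if c.Expiry == 0 || c.IssuedAt == 0 {
		return errors.New("exp and iat are required")
	}
	if !e.Now.Before(time.Unix(int64(c.Expiry), 0).Add(e.Leeway)) {
		return errors.New("ID token has expired")
	}
	if c.NotBefore != 0 && e.Now.Add(e.Leeway).Before(time.Unix(int64(c.NotBefore), 0)) {
		return errors.New("ID token is not yet valid (nbf)")
	}
	// The token must echo exactly the nonce we sent: a nonce we never sent,
	// or none when we did send one, points to replay or a mixed-up session.
	if c.Nonce != e.Nonce {
		return errors.New("nonce mismatch")
	}
	if len(e.ACRValues) > 0 && !slices.Contains(e.ACRValues, c.ACR) { // WithACRValues(enforce=true)
		return fmt.Errorf("acr %q is not among the requested values %v", c.ACR, e.ACRValues)
	}
	return nil
}

// SampleIDTokenPayload is a constructed decoded ID token payload, not one
// captured from a provider. Note that "aud" is a bare string here.
const SampleIDTokenPayload = `{"iss":"https://issuer.example.com","sub":"24400320","aud":"my-client",
"exp":1700003600,"nbf":1699999990,"iat":1699999995,"nonce":"n-abc123","acr":"urn:mace:incommon:iap:silver"}`

func main() {
	var c Claims
	if err := json.Unmarshal([]byte(SampleIDTokenPayload), &c); err != nil {
		panic(err)
	}
	e := Expectation{Issuer: "https://issuer.example.com", ClientID: "my-client", Nonce: "n-abc123",
		Leeway: time.Minute, Now: time.Unix(1700000000, 0)}
	fmt.Println("valid token:", ValidateClaims(c, e))
	e.ClientID = "other-client"
	fmt.Println("token issued to another client:", ValidateClaims(c, e))
}
```

The Audience decoder matters in practice: providers emit aud either as a string or as an array, and a relying party that accepts only one form rejects valid tokens from the other kind of provider, while one that compares only the first element of an array misses its client_id whenever it is not listed first.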
type Client ¶
type Client struct {
	Verifier
	// contains filtered or unexported fields
}
func DiscoverClient ¶
func DiscoverClient(ctx context.Context, issuer, clientID, clientSecret, redirectURL string, opts ...ClientOpt) (*Client, error)
DiscoverClient will create a client based on the OIDC discovery of the given issuer. It will use the returned information to configure the client, and will use it to create a KeySource that discovers published keys as needed.
func NewClient ¶
func NewClient(md *discovery.ProviderMetadata, ks KeySource, clientID, clientSecret, redirectURL string, opts ...ClientOpt) *Client
NewClient creates a client directly from the passed in information
func (*Client) AuthCodeURL ¶
func (c *Client) AuthCodeURL(state string, opts ...AuthCodeOption) string
AuthCodeURL returns the URL the user should be directed to in order to initiate the authorization code flow.
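What goes into that URL, and what must happen when the browser comes back to the redirect URL, is where most authorization code flow mistakes live. The following added example is not this package's code: it builds the request from the parameters that AuthCodeURL, AddScopes and WithACRValues control, draws state and nonce from the CSPRNG, and checks the callback before the code is touched. AuthRequest, NewAuthRequest, ParseCallback, the endpoint URLs and the code value are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AuthRequest is the per-login record the relying party keeps server-side,
// bound to the browser session, until the provider redirects back.
type AuthRequest struct{ State, Nonce string }

// NewAuthRequest draws both values from the CSPRNG: state must be unguessable
// to stop login CSRF, and the nonce is later matched against the ID token.
func NewAuthRequest() AuthRequest {
	return AuthRequest{State: randomToken(), Nonce: randomToken()}
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is not a condition to limp on from
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// AuthCodeURL builds the authorization request the way AuthCodeURL, AddScopes
// and WithACRValues on this page describe it: "openid" is always requested,
// extra scopes and acr_values are appended, and state and nonce bind the
// round trip to this session.
func AuthCodeURL(authEndpoint, clientID, redirectURL string, r AuthRequest, extraScopes, acrValues []string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURL)
	q.Set("scope", strings.Join(append([]string{"openid"}, extraScopes...), " "))
	q.Set("state", r.State)
	q.Set("nonce", r.Nonce)
	if len(acrValues) > 0 {
		q.Set("acr_values", strings.Join(acrValues, " "))
	}
	return authEndpoint + "?" + q.Encode()
}

// ParseCallback checks the redirect back from the provider. An error response
// is surfaced, and state must equal the stored value before the code is used:
// without that check an attacker can finish a victim's login with a code
// from the attacker's own session.
func ParseCallback(callbackURL string, stored AuthRequest) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("provider returned %s: %s", e, q.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(stored.State)) != 1 {
		return "", errors.New("state mismatch: stale or forged callback")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries neither code nor error")
	}
	return code, nil
}

func main() {
	r := NewAuthRequest()
	fmt.Println(AuthCodeURL("https://issuer.example.com/authorize", "my-client",
		"https://rp.example.com/callback", r, []string{"email"}, []string{"urn:mace:incommon:iap:silver"}))
	// Constructed callbacks: the genuine one, then one with a forged state.
	fmt.Println(ParseCallback("https://rp.example.com/callback?code=c0de-1&state="+url.QueryEscape(r.State), r))
	fmt.Println(ParseCallback("https://rp.example.com/callback?code=c0de-1&state=forged", r))
}
```

The stored nonce is not consumed here; it is needed again after the code exchange, when the nonce claim in the ID token is compared with it.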
func (*Client) Exchange ¶
func (c *Client) Exchange(ctx context.Context, code string) (*Token, error)
Exchange redeems the authorization code returned to the redirect URL for a set of tokens. If the exchange fails and the provider returns an oauth2 error response, the returned error will be a `*github.com/parot/oidc/oauth2.TokenError`. If an HTTP error occurs, a *HTTPError will be returned.
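The split between an oauth2 error response and a generic HTTP error is worth handling explicitly: only the first tells you the provider actually processed the request (a reused or expired code comes back as invalid_grant), while the second usually means something in front of the provider failed. The following added example, which is not this package's code and uses only the standard library, shows one way to implement an exchange with that split, against a constructed token endpoint that produces both kinds of failure. TokenError, HTTPError, TokenResponse, Exchange and FakeTokenEndpoint are hypothetical names, and the client credentials and code values are made up.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenError is an OAuth2 error response from the token endpoint (RFC 6749 §5.2).
type TokenError struct {
	Code        string `json:"error"`
	Description string `json:"error_description,omitempty"`
}

func (e *TokenError) Error() string { return "token endpoint: " + e.Code + ": " + e.Description }

// HTTPError is returned for non-2xx responses that carry no OAuth2 error body.
type HTTPError struct{ StatusCode int }

func (e *HTTPError) Error() string { return fmt.Sprintf("token endpoint: HTTP %d", e.StatusCode) }

// TokenResponse is the successful token endpoint body.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
	TokenType   string `json:"token_type"`
}

// Exchange redeems the code with client_secret_basic authentication. Callers
// can tell a provider-level refusal (*TokenError, e.g. invalid_grant for a
// reused code) from a transport or proxy failure (*HTTPError) with errors.As.
func Exchange(ctx context.Context, hc *http.Client, tokenEndpoint, clientID, clientSecret, redirectURL, code string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURL}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := hc.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // never buffer an unbounded body
	if err != nil {
		return nil, err
	}
	if resp.StatusCode/100 != 2 {
		var te TokenError
		if json.Unmarshal(body, &te) == nil && te.Code != "" {
			return nil, &te
		}
		return nil, &HTTPError{StatusCode: resp.StatusCode}
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	return &tr, nil
}

// FakeTokenEndpoint is a constructed provider stand-in: one valid code for one
// set of client credentials, an OAuth2 error for anything else, and a bare 502
// (what a broken proxy in front of the provider sends) for the code "proxy-down".
func FakeTokenEndpoint(validCode, clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, _ := r.BasicAuth()
		switch {
		case r.FormValue("code") == "proxy-down":
			http.Error(w, "bad gateway", http.StatusBadGateway)
		case id != clientID || secret != clientSecret:
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(TokenError{Code: "invalid_client"})
		case r.FormValue("grant_type") != "authorization_code" || r.FormValue("code") != validCode:
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(TokenError{Code: "invalid_grant", Description: "unknown or reused code"})
		default:
			json.NewEncoder(w).Encode(TokenResponse{AccessToken: "at-1", IDToken: "id-1", TokenType: "Bearer"})
		}
	}))
}

func main() {
	srv := FakeTokenEndpoint("c0de-1", "my-client", "s3cret")
	defer srv.Close()
	for _, code := range []string{"c0de-1", "wrong", "proxy-down"} {
		tr, err := Exchange(context.Background(), srv.Client(), srv.URL, "my-client", "s3cret", "https://rp.example.com/callback", code)
		fmt.Printf("%s: %+v %v\n", code, tr, err)
	}
}
```

An invalid_grant on a code the application has never used before is worth alerting on: it is what a code stolen and redeemed by someone else, or a mix-up between providers, looks like from the relying party's side.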
func (*Client) SetClientSecret ¶
func (c *Client) SetClientSecret(secret string)
SetClientSecret updates the oauth2 client secret this client is configured with.
func (*Client) SetRedirectURL ¶
func (c *Client) SetRedirectURL(redirectURL string)
SetRedirectURL updates the redirect URL this client is configured with.
func (*Client) TokenSource ¶
func (c *Client) TokenSource(ctx context.Context, t *Token) TokenSource
type ClientOpt ¶
type ClientOpt func(*Client)
ClientOpt can be used to customize the client.
func WithACRValues ¶
WithACRValues sets the ACR values to request. If enforce is true, the resultant ID token will be checked to make sure it matches one of the requested values, and an error will be returned if it doesn't
func WithAdditionalScopes ¶
WithAdditionalScopes will set the given scopes on all AuthCode requests. This is in addition to the default "openid" scope.
type HTTPError ¶
HTTPError indicates a generic HTTP error occurred during an interaction. It exposes details about the returned response, as well as the original error
type StaticKeysource ¶
type StaticKeysource struct {
// contains filtered or unexported fields
}
func NewStaticKeysource ¶
func NewStaticKeysource(keys jose.JSONWebKeySet) *StaticKeysource
type Token ¶
type Token struct {
	AccessToken  string    `json:"access_token,omitempty"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	Expiry       time.Time `json:"expiry,omitempty"`
	Claims       Claims    `json:"claims,omitempty"`
	IDToken      string    `json:"id_token,omitempty"`
}
Token encapsulates the data returned from the token endpoint
type TokenSource ¶
type TokenSource interface {
	// Token returns a token or an error.
	// The returned Token must not be modified
	Token(ctx context.Context) (*Token, error)
}
TokenSource fetches OIDC tokens.
type Transport ¶
type Transport struct {
	TokenSource

	// Base is the base RoundTripper to make HTTP requests. If nil,
	// http.DefaultTransport is used.
	Base http.RoundTripper
}
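A Transport of this shape is the natural place to enforce two things the types alone do not: that a bearer token only ever leaves over TLS, and that the token a TokenSource hands back is copied rather than mutated. The following added example is not this package's code; it implements a caching TokenSource with skew-aware refresh and a RoundTripper in the shape of the Transport above, exercised against a constructed TLS echo server. RefreshingSource, NewEchoServer and GetAuthHeader are hypothetical names, and the refresh function stands in for a call to the token endpoint.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Token and TokenSource mirror the page's types, reduced to what this needs.
type Token struct {
	AccessToken string
	Expiry      time.Time
}

type TokenSource interface {
	Token(ctx context.Context) (*Token, error)
}

// RefreshingSource caches a token and calls refresh once it is within skew of
// expiry. It hands out a copy, so the cached token is never modified through
// the pointer a caller receives (the contract stated on TokenSource).
type RefreshingSource struct {
	mu      sync.Mutex
	cur     *Token
	skew    time.Duration
	now     func() time.Time
	refresh func(ctx context.Context) (*Token, error)
}

func (s *RefreshingSource) Token(ctx context.Context) (*Token, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.cur == nil || !s.now().Add(s.skew).Before(s.cur.Expiry) {
		t, err := s.refresh(ctx)
		if err != nil {
			return nil, err
		}
		s.cur = t
	}
	cp := *s.cur
	return &cp, nil
}

// Transport attaches a bearer token to every request. It refuses plaintext
// HTTP, since a bearer token on the wire is the credential itself, and it
// clones the request before adding the header, as RoundTripper requires.
type Transport struct {
	TokenSource
	Base http.RoundTripper // nil means http.DefaultTransport
}

func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Scheme != "https" {
		return nil, fmt.Errorf("oidc: refusing to send bearer token over %q", req.URL.Scheme)
	}
	tok, err := t.TokenSource.Token(req.Context())
	if err != nil {
		return nil, err
	}
	r2 := req.Clone(req.Context())
	r2.Header.Set("Authorization", "Bearer "+tok.AccessToken)
	base := t.Base
	if base == nil {
		base = http.DefaultTransport
	}
	return base.RoundTrip(r2)
}

// NewEchoServer is a constructed TLS resource server that replies with the
// Authorization header it received, so callers can see what went on the wire.
func NewEchoServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.Header.Get("Authorization"))
	}))
}

// GetAuthHeader performs one GET through hc and returns the echoed header.
func GetAuthHeader(hc *http.Client, u string) (string, error) {
	resp, err := hc.Get(u)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	calls := 0
	src := &RefreshingSource{skew: time.Minute, now: time.Now, refresh: func(context.Context) (*Token, error) {
		calls++ // a real source would redeem the refresh token at the token endpoint here
		return &Token{AccessToken: fmt.Sprintf("tok-%d", calls), Expiry: time.Now().Add(time.Hour)}, nil
	}}
	srv := NewEchoServer()
	defer srv.Close()
	hc := &http.Client{Transport: &Transport{TokenSource: src, Base: srv.Client().Transport}}
	fmt.Println(GetAuthHeader(hc, srv.URL))
	fmt.Println(GetAuthHeader(hc, "http://127.0.0.1:9/")) // rejected before any connection is made
}
```

The https check runs before the TokenSource is consulted, so a misconfigured plaintext URL fails without a refresh being triggered or a token being fetched.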
type UnixTime ¶
type UnixTime int64
UnixTime represents the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. This is the type the ID token claims use to represent dates.
func NewUnixTime ¶
NewUnixTime creates a UnixTime from the given Time, t
func (UnixTime) MarshalJSON ¶
func (*UnixTime) UnmarshalJSON ¶
type Verifier ¶
type Verifier struct {
// contains filtered or unexported fields
}
func DiscoverVerifier ¶
func NewVerifier ¶
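Before any of the claim checks on this page mean anything, the ID token's signature has to verify against a key the relying party trusts, looked up by the kid the token names, with the algorithm fixed by the verifier rather than read from the token. The following added example is not this package's code (StaticKeysource and Verifier wrap go-jose; this uses only the standard library and RS256): a kid-keyed static key set, a minimal signer to mint tokens to verify, and a verifier that rejects alg none, unknown kids, wrong keys and tampered payloads. KeySource, StaticKeys, GenerateIssuerKey, SignRS256, UnsignedToken and VerifyRS256 are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// KeySource is the lookup a verifier needs: a public key by key ID. It stands
// in for the page's KeySource/StaticKeysource, which wrap a go-jose key set.
type KeySource interface {
	PublicKey(kid string) (*rsa.PublicKey, error)
}

// StaticKeys is a fixed in-memory key set keyed by kid.
type StaticKeys map[string]*rsa.PublicKey

func (s StaticKeys) PublicKey(kid string) (*rsa.PublicKey, error) {
	if k, ok := s[kid]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("no key with kid %q", kid)
}

type joseHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

var b64 = base64.RawURLEncoding

// GenerateIssuerKey makes a fresh RSA key to play the provider's signing key.
func GenerateIssuerKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SignRS256 is the issuer side, used here only to mint tokens to verify.
func SignRS256(priv *rsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(joseHeader{Alg: "RS256", Kid: kid})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// UnsignedToken builds an "alg":"none" token over the payload, the classic
// forgery a verifier must reject whatever the header asks for.
func UnsignedToken(payload []byte) string {
	hdr, _ := json.Marshal(joseHeader{Alg: "none"})
	return b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload) + "."
}

// VerifyRS256 returns the payload only if the token is a three-part compact JWS
// whose header names RS256 (the verifier pins the algorithm; the token never
// chooses it), whose kid resolves in the key set, and whose signature checks
// against that key. Claim checks (iss, aud, exp, nonce) come after this step.
func VerifyRS256(token string, keys KeySource) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	var hdr joseHeader
	if rawHdr, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("alg %q rejected: only RS256 is accepted", hdr.Alg)
	}
	pub, err := keys.PublicKey(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	return b64.DecodeString(parts[1])
}

func main() {
	priv := GenerateIssuerKey()
	keys := StaticKeys{"2024-key": &priv.PublicKey}
	tok, _ := SignRS256(priv, "2024-key", []byte(`{"iss":"https://issuer.example.com","sub":"24400320"}`))
	body, err := VerifyRS256(tok, keys)
	fmt.Printf("signed token: %s %v\n", body, err)
	_, err = VerifyRS256(UnsignedToken([]byte(`{"sub":"admin"}`)), keys)
	fmt.Println("alg none token:", err)
}
```

The key lookup by kid is also the point where a discovery-backed key source (what DiscoverClient sets up) would refetch the JWKS on an unknown kid to pick up a rotated key; a static source simply fails, which is the right behaviour for pinned keys.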
Source Files
Directories
Path | Synopsis
---|---
cmd |
core | Package core is a library implementation of helpers for implementing the core OIDC specification (https://openid.net/specs/openid-connect-core-1_0.html).
discovery | Package discovery implements both a server handler and client side for interacting with the OIDC discovery mechanism.
e2e | Package e2e contains high-level smoke tests for this module.
oauth2 | Package oauth2 implements base primitives for parsing oauth2 messages and errors.
proto |
signer | Package signer implements a common signing/verification interface for OIDC usage.